Snort mailing list archives
Generating email alerts of overactive source IPs
From: Claude Bailey <Claude.Bailey () RIAG com>
Date: Tue, 8 May 2001 16:22:23 -0500
I use this script with an hourly cron job to send me an email listing of any source IP addresses that have tripped more than a certain number of Snort alerts during the last hour. Hope you find it useful.

Claude Bailey

#!/usr/local/bin/perl
#
# Filename: overactive_ip.pl
# Author:   Claude Bailey, modified from script by Andrew R. Baker
# Modified: 2001.04.10
# Purpose:  This script is intended to run as an hourly cron job
#           to send an administrator an email containing the IP
#           address of any source host tripping more than a certain
#           number of Snort alerts. The script handles only the new
#           format of "-A fast" alerts:
#             <date-time> [**] <alert message> [**] <src>:<port> -> <dst>:<port>
#
use strict;
use warnings;

# set the excess alert count value here: a source is reported once it has
# tripped more than this many distinct alert messages
my $threshold = 3;

if (!defined $ARGV[0]) {
    print STDERR "USAGE: overactive_ip.pl <alertfilename>\n";
    exit 1;
}

open(INFILE, "<", $ARGV[0]) or die "Unable to open file $ARGV[0]\n";

my @alerts;
while (<INFILE>) {
    chomp();
    # if the line is blank, go to the next one
    next if $_ eq "";

    # is this a "new" style fast alert?
    if ($_ =~ /^.+\s\[\*\*\]\s*.+\[\*\*\]\s/) {
        # split the alert apart
        my ($datentime, $alert, $srcdest) = split(/\s\[\*\*\]/, $_);
        my ($src, $arrow, $dest) = split(' ', $srcdest);
        my ($saddr, $sport) = split(/:/, $src);
        my ($daddr, $dport) = split(/:/, $dest);
        $alert =~ s/^\s*//;
        $alert =~ s/\s/_/g;    # keep the message as one whitespace-free field
        # put the alerts into a list
        push(@alerts, "$saddr $alert $daddr $datentime");
    } else {
        print STDERR "Warning, file may be incomplete\n";
        next;
    }
}
close(INFILE);

# sort the alerts so records for one source (and one message) are adjacent
my @list = sort(@alerts);

# Determine source IPs with multiple distinct alerts
my $source  = "";
my $message = "";
my $count   = 0;
my @multialerts;
foreach my $rec (@list) {
    my ($saddr, $alert, $daddr, $datentime) = split(/\s/, $rec);
    if ($source ne $saddr) {
        # new source: report the previous one once if it exceeded the threshold
        push(@multialerts, $source) if $source ne "" and $count > $threshold;
        $source  = $saddr;
        $message = $alert;
        $count   = 1;
        next;
    }
    # same source, same message repeated: don't count it again
    next if $message eq $alert;
    $message = $alert;
    $count += 1;
}
# the last source in the sorted list has no successor to flush it
push(@multialerts, $source) if $source ne "" and $count > $threshold;

# write IPs with excessive alerts to a file
#open(OUT, '>alertsorted') or die "Couldn't open the multialerts file";
#print "IPs with 4 or more alerts \n";
# printing to STDOUT is enough under cron, which mails the job's output
print "IPs with more than $threshold distinct alerts:\n";
print "$_\n" foreach @multialerts;
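The same parse-sort-count idea in Python, as an added example rather than code from the post above. It generalizes the posted script in two ways: the regex accepts both the 2001-era fast format the script handles (date, message, addresses) and the later form in which Snort prefixes the message with [gid:sid:rev] and follows it with [Classification: ...] [Priority: N] {PROTO}, all treated as optional; and the threshold can count either distinct alert messages per source (what the script does by skipping repeats of the same source/message pair) or every alert line. The sample alert lines are constructed for the example, not captured traffic, and the function names are the example's own.

```python
import re
from collections import defaultdict

# Snort "-A fast" lines. The early form is
#   <date-time> [**] <message> [**] <src>[:<port>] -> <dst>[:<port>]
# Later releases add [gid:sid:rev] before the message and
# [Classification: ...] [Priority: N] {PROTO} after it; all optional here.
FAST_ALERT = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"(?:\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+)?"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s*(?P<priority>\d+)\]\s+)?"
    r"(?:\{(?P<proto>\w+)\}\s+)?"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alert file (not real traffic): one noisy host, one quiet
# host, two lines in the newer format, and one junk line such as a partial write.
SAMPLE_ALERTS = """\
05/08-15:01:02.123456 [**] WEB-MISC cross site scripting attempt [**] 10.1.1.7:2434 -> 10.2.2.2:80
05/08-15:01:05.223456 [**] WEB-MISC cross site scripting attempt [**] 10.1.1.7:2435 -> 10.2.2.2:80
05/08-15:02:10.000001 [**] WEB-IIS cmd.exe access [**] 10.1.1.7:2440 -> 10.2.2.2:80
05/08-15:03:11.000002 [**] WEB-CGI phf access [**] 10.1.1.7:2441 -> 10.2.2.2:80
05/08-15:04:12.000003 [**] SCAN nmap TCP [**] 10.1.1.7:2442 -> 10.2.2.3:22
05/08-15:05:13.000004 [**] ICMP PING NMAP [**] 10.1.1.7 -> 10.2.2.3
05/08-15:06:14.000005 [**] WEB-MISC cross site scripting attempt [**] 10.1.1.9:3000 -> 10.2.2.2:80
05/08-15:07:15.000006 [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.1.1.9 -> 10.2.2.3
05/08-15:07:16.000007 [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.1.1.9 -> 10.2.2.4

this line is not an alert
"""


def parse_fast_alert(line):
    """Return a dict of fields for one fast-alert line, or None if it does not parse."""
    m = FAST_ALERT.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def parse_fast_alerts(text):
    """Parse a whole alert file: blank lines are ignored, unparsable ones counted."""
    records, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_fast_alert(line)
        if rec is None:
            skipped += 1
        else:
            records.append(rec)
    return records, skipped


def overactive_sources(records, threshold=4, distinct=True):
    """Sources with at least `threshold` alerts, as [(src, count), ...], noisiest first.

    distinct=True counts different alert messages per source (the posted
    script's behaviour); distinct=False counts every alert line.
    """
    per_src = defaultdict(list)
    for rec in records:
        per_src[rec["src"]].append(rec["msg"])
    hits = []
    for src, msgs in per_src.items():
        n = len(set(msgs)) if distinct else len(msgs)
        if n >= threshold:
            hits.append((src, n))
    hits.sort(key=lambda t: (-t[1], t[0]))
    return hits


def report(text, threshold=4, distinct=True):
    """Body of the hourly mail: the hit list plus a warning about unparsable lines."""
    records, skipped = parse_fast_alerts(text)
    kind = "distinct alert messages" if distinct else "alerts"
    lines = [f"Source IPs with {threshold} or more {kind}:"]
    for src, n in overactive_sources(records, threshold, distinct):
        lines.append(f"  {src}  {n}")
    if skipped:
        lines.append(f"Warning: {skipped} line(s) did not parse; file may be incomplete")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_ALERTS))
```

Run it as the cron job's command and, as with the Perl script, cron mails whatever it prints; a line that fails to parse is reported in the mail instead of silently dropped, since the usual cause is the hourly rotation catching Snort mid-write.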